Yes it makes sense. Good sense. From: Jeremy Anderson [mailto:[email protected]] Sent: Tuesday, April 28, 2009 12:29 PM To: NT System Admin Issues Subject: RE: Password Policy - - how do you handle this?
Yes, the min password age requires the passwors to be at leaste 24 hours old before a user can change it. The theory of having a 1 day minimum is so that the users cant just cycle through 10 Passwords and go back to the password they used when it expired. (does that make sense?) Passowrd Policy is that password expires after 90 days, 10 passwords remembered, Min Password age 0. On the 89th day the user changes their password 11 times back to the expiring password. Changein the Min password age to 1 would prevent that from happening. Thats the security guys logic. Jeremy ________________________________ From: Sean Rector [[email protected]] Sent: Tuesday, April 28, 2009 9:10 AM To: NT System Admin Issues Subject: RE: Password Policy - - how do you handle this? IIRC, Min. Pwd. Age is the minimum time before they can change their own password - as in this process: 1. I reset their password. Check box for must reset upon next logon. 2. User logs on. They're prompted to change their pwd. & they do. 3. Within the next 24 hours, they're not allowed to change their pwd. again. Sean Rector, MCSE From: Holstrom, Don [mailto:[email protected]] Sent: Tuesday, April 28, 2009 12:04 PM To: NT System Admin Issues Subject: RE: Password Policy - - how do you handle this? At the last place I was at, a p .r. firm, an outside "computer expert group" recommended that we set everyone's password to password. I couldn't stop laughing, but the operating v.p. wasn't laughing, I recall. There are large groups of companies who do this, apparently. I left soon, for other reasons, don't know what they did... Here at the Museum, when I showed up, seven years ago, everyone's password was password. When I set them up with OWA, I made them all adopt a password. Many complained. Our outside auditing firm made me give passwords a 50-day life. I also added the three-of-four rule, they liked that. Changing passwords each day would be a bit much for these folks. But I know three people (one is my neighbor) who have one-minute-password key chains, so... From: Sean Rector [mailto:[email protected]] Sent: Tuesday, April 28, 2009 11:54 AM To: NT System Admin Issues Subject: RE: Password Policy - - how do you handle this? I do it, and it 1) doesn't create heartburn for our folks and 2) it does prompt my folks for the reset pwd upon next logon. Sean Rector, MCSE From: Jeremy Anderson [mailto:[email protected]] Sent: Tuesday, April 28, 2009 11:40 AM To: NT System Admin Issues Subject: Password Policy - - how do you handle this? The security guy is insisting that we set the Min Password Age to 1 day. I agree in theory that this is a swell idea, but in practice, I think it will be a disaster. We have users that forget their passwords every other day (Don't ask) and company politics that are going to let this bad habit continue. Admins reset the password, and set the flag that says "Must change password on next logon" I say, that the user will never get prompted to reset the next time they login, or that changing it will fail, because the password is now less than one day old. Security guy says "Not having that set is a bad idea, other companies do it, make it happen" How do you guys deal with this? Thanks Jeremy Information Technology Manager Virginia Opera Association E-Mail: [email protected]<mailto:[email protected]> Phone: (757) 213-4548 (direct line) {+} Virginia Opera's 35th Anniversary Season<http://www.vaopera.org> The One You Love Celebrate with a 2009-2010 Subscription: La Bohème<http://www.vaopera.org/html/currentoperas/opera1.cfm>, The Daughter of the Regiment<http://www.vaopera.org/html/currentoperas/opera2.cfm>, Don Giovanni<http://www.vaopera.org/html/currentoperas/opera3.cfm> and Porgy and BessSM<http://www.vaopera.org/html/currentoperas/opera4.cfm> Visit us online at www.vaopera.org<http://www.vaopera.org> or call 1-866-OPERA-VA ________________________________ This e-mail and any attached files are confidential and intended solely for the intended recipient(s). Unless otherwise specified, persons unnamed as recipients may not read, distribute, copy or alter this e-mail. Any views or opinions expressed in this e-mail belong to the author and may not necessarily represent those of Virginia Opera. Although precautions have been taken to ensure no viruses are present, Virginia Opera cannot accept responsibility for any loss or damage that may arise from the use of this e-mail or attachments. {*} ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
